SMARTNET Learn

TCP Handshake

The TCP handshake establishes a connection before data is exchanged. It is simple, but it is also one of the most common points abused during TCP-based DDoS attacks.

What the handshake does

TCP is connection-oriented. Before any application data is sent, both sides must agree on sequence numbers and confirm that the path works in both directions.

That exchange is called the three-way handshake. It moves the session from no state to an established TCP connection.

Three steps

1. SYN
The client starts the connection and proposes an initial sequence number.
2. SYN-ACK
The server acknowledges the client's SYN and sends its own sequence number.
3. ACK
The client acknowledges the server's SYN-ACK. The connection is now established.

Packet flow

Client → SYN → Server
Server → SYN-ACK → Client
Client → ACK → Server

Why this matters under attack

Before the final ACK arrives, the server may already allocate temporary state for the connection attempt. That state can include queue entries, timers and memory.

A SYN flood abuses exactly this point. The attacker sends large numbers of SYN packets but does not complete the handshake, forcing the target to keep state for connections that never become real sessions.

What breaks first

  • Half-open connection tables fill up
  • Listen queues become saturated
  • State-heavy firewalls waste CPU and memory
  • Legitimate users fail to establish new connections

Common defenses

SYN cookies reduce how much temporary state must be stored before the handshake completes. Stateless validation and early packet filtering reduce the number of packets that ever reach the TCP stack.
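To make the difference concrete, here is an added toy model (not SMARTNET code, and not a real TCP stack) of a listener that handles the handshake either with a bounded half-open table or with SYN cookies. The cookie layout (8-bit counter plus 24-bit keyed hash in the server ISN), the backlog size and the addresses are constructed for the example.

```python
import hashlib
import hmac
import os

# Toy listener (constructed for this example): half-open attempts are either kept in a
# bounded table or encoded statelessly in the server's ISN as a SYN cookie.
SECRET = os.urandom(16)  # per-server cookie secret

def syn_cookie(ip, port, client_isn, counter):
    # Server ISN = 8-bit time counter || 24-bit keyed hash of the connection tuple.
    msg = f"{ip}:{port}:{client_isn}:{counter}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << 24) | h

class Listener:
    def __init__(self, backlog, syn_cookies=False):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}        # (ip, port) -> server ISN; unused in cookie mode
        self.dropped = 0           # SYNs refused because the half-open table was full
        self.counter = 0           # coarse clock; advancing it expires old cookies

    def on_syn(self, ip, port, client_isn):
        # Returns the server ISN sent in the SYN-ACK, or None if the SYN was dropped.
        if self.syn_cookies:
            return syn_cookie(ip, port, client_isn, self.counter)  # no state kept
        if (ip, port) not in self.half_open and len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        self.half_open[(ip, port)] = int.from_bytes(os.urandom(4), "big")
        return self.half_open[(ip, port)]

    def on_ack(self, ip, port, seq, ack):
        # Final ACK carries seq = client ISN + 1 and ack = server ISN + 1.
        if self.syn_cookies:
            counter = ((ack - 1) >> 24) & 0xFF
            fresh = (self.counter - counter) % 256 <= 1     # current or previous tick
            return fresh and syn_cookie(ip, port, seq - 1, counter) == ack - 1
        isn = self.half_open.pop((ip, port), None)
        return isn is not None and ack == isn + 1

def simulate(syn_cookies, flood_syns=1000, backlog=128):
    # Send many SYNs that are never acknowledged, then try one legitimate handshake.
    srv = Listener(backlog, syn_cookies)
    for i in range(flood_syns):
        srv.on_syn(f"198.51.100.{i % 256}", 1024 + i, 1000 + i)   # constructed values
    isn = srv.on_syn("192.0.2.10", 40000, 777)
    ok = isn is not None and srv.on_ack("192.0.2.10", 40000, 778, isn + 1)
    return ok, len(srv.half_open), srv.dropped
```

`simulate(False)` shows the legitimate client locked out once the 128-entry table is full, while `simulate(True)` completes the handshake with no half-open state at all; the cookie path still rejects ACKs whose counter is too old.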

This is why high packet-per-second (PPS) attacks are often handled outside traditional firewall state tables. Once the packet rate is high enough, stateful processing itself becomes the bottleneck.